[Security] Initialize SwitchUserEvent::targetUser on attemptExitUser #14931
Conversation
| @@ -162,7 +162,8 @@ private function attemptExitUser(Request $request) | |||
| } | |||
|
|
|||
| if (null !== $this->dispatcher) { | |||
| $switchEvent = new SwitchUserEvent($request, $original->getUser()); | |||
| $user = $this->provider->loadUserByUsername($original->getUser()->getUserName()); | |||
There was a problem hiding this comment.
you should use the refreshUser method of the user provider instead.
The `SwitchUserEvent` is triggered in case an account is switched. This works okay while switching to the user, but on exit the `SwitchUserEvent` is triggered again with the original User. That User was not initialized by the provider yet. load user by UserInterface instead of username
|
ping @stof do you think this can be merged to 2.3 and up? |
|
Looks like a bug fix, so 2.3. |
|
@rvanlaak Looks good, but can you add a test to avoid future regressions? |
|
Yes I agree, but how can we see or the User is initialized? The |
|
You could check which user instance is passed to |
|
But they are both an instance of |
|
@rvanlaak I opened a new PR request based on the |
|
closing in favor of #15137 |
|
👍 @xabbuh |
…ptExitUser (Rvanlaak, xabbuh) This PR was merged into the 2.3 branch. Discussion ---------- [Security] Initialize SwitchUserEvent::targetUser on attemptExitUser | Q | A | ------------- | --- | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | #14931 | License | MIT | Doc PR | Commits ------- f999217 trigger event with right user (add test) 01ee3f6 [Security] Initialize SwitchUserEvent::targetUser on attemptExitUser
The
SwitchUserEventis triggered in case an account is switched. This works okay while switching to the user, but on exit theSwitchUserEventis triggered again with the original User. That User was not initialized by the provider yet.